Parent PRD
What to build
After CRL/cert-time validation has moved to the did:x509 resolver (#4083), key time-based checks have moved to the key resolver (#4084), and issuer attribute matching has moved to the generic Verify function (#4085), the X509CredentialValidator contains only duplicated logic.
- Remove the remaining duplicated logic from `X509CredentialValidator`
- Either simplify it to delegate to `defaultCredentialValidator` or remove it entirely
- Simplify the `FindValidator` dispatch in `resolver.go` — remove the `X509CredentialType` case if the validator is removed
- Verify all existing tests pass with no behavior changes
Acceptance criteria
- `X509CredentialValidator` no longer contains CRL, cert-time, or policy assertion logic
- `FindValidator` dispatch is simplified or the X509 case is removed
- All existing X509Credential tests pass unchanged
- All existing s2s flow tests pass unchanged
- No regression in credential validation behavior for any credential type
Blocked by
- Blocked by did:x509 resolver: CRL check and set expires/revoked on keys #4083 (CRL/cert-time in did:x509 resolver)
- Blocked by Key resolver: check expires/revoked against reference time #4084 (key resolver time checks)
- Blocked by Generic issuer-to-credentialSubject attribute matching for did:x509 #4085 (generic attribute matching)
User stories addressed
- User story 7: existing behavior preserved
- User story 8: validation architecture follows PSA layered model